The American company Cloudflare, which specializes in web infrastructure and site security, announced in a blog post the launch of a public bug bounty program.
Users can submit bug reports through Cloudflare's profile on HackerOne. The page for developers also offers API documentation, information on working with various internal Cloudflare services, training materials, a sandbox and a forum.
Rewards are assigned according to the CVSSv3 severity rating of the vulnerability; the amounts are listed below:
| Severity (CVSSv3) | High priority | Low priority | Other |
|---|---|---|---|
| Critical (9.0 - 10.0) | $3000 | $2700 | $2100 |
| High (7.0 - 8.9) | $1000 | $750 | $500 |
| Medium (4.0 - 6.9) | $500 | $350 | $200 |
| Low (0.1 - 3.9) | $250 | $200 | $100 |
This is the third launch of Cloudflare's bug bounty program. The first one came in 2014. Over the life of that initiative, the company received 1,197 reports, but only 13% of them turned out to be valid. Cloudflare did not provide details about how its services worked, so researchers could not distinguish a bug from intended behavior. No money was paid under the program either: enthusiasts received branded T-shirts as a gift.
By 2018, Cloudflare had built a knowledge base of its products and launched a private bug bounty program. By mid-January 2022, the company had paid $211,000 in rewards for 292 out of 430 reports.
Now the bug bounty is open to everyone, and Cloudflare representatives have promised to keep adding new information to the knowledge base.
bbabo.Net